Platform
java
Component
pingidentity-idm
Fixed in
7.2.3
7.3.2
7.4.2
7.5.1
7.1.1
CVE-2025-20628 represents an insufficient granularity of access control vulnerability within PingIDM (formerly ForgeRock Identity Management). This flaw allows attackers to potentially spoof a client-mode Remote Connector Server (RCS) to intercept or modify sensitive user properties, such as passwords and account recovery information. The vulnerability specifically impacts versions 7.2.0 through 7.5.0 of PingIDM, and requires an RCS to be configured in client mode for exploitation. No official patch is currently available.
The impact of CVE-2025-20628 is significant, particularly for organizations relying on PingIDM for authentication and identity management. Successful exploitation could allow an attacker to compromise user accounts by intercepting or modifying passwords and account recovery information. This could lead to unauthorized access to sensitive data, systems, and applications. The potential for lateral movement within the network is also a concern, as a compromised account could be used to gain access to other resources. The blast radius extends to all users and applications relying on PingIDM for authentication. While the vulnerability requires an RCS to be configured in client mode, the potential consequences warrant immediate attention.
CVE-2025-20628 was published on 2026-04-07. Currently, there are no publicly available Proof-of-Concept (POC) exploits. The vulnerability is not listed on CISA KEV or EPSS, suggesting a low probability of active exploitation at this time. However, the potential impact warrants proactive mitigation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit status
EPSS
0.05% (17th percentile)
CISA SSVC
The primary mitigation for CVE-2025-20628 is to disable Remote Connector Servers (RCS) from running in client mode. If RCS in client mode is required, implement strict access controls to limit who can configure and manage them. Regularly review RCS configurations to ensure they adhere to security best practices. Consider implementing multi-factor authentication (MFA) to add an extra layer of security, even if an attacker manages to compromise a password. Monitor PingIDM logs for any suspicious activity related to RCS connections. There are no specific WAF rules or detection signatures readily available, so a layered security approach is recommended.
Update PingIDM to a fixed version. Consult the Ping Identity documentation or the release notes for specific instructions on applying the fix and mitigating the risk of interception or modification of identity data.
A Remote Connector Server (RCS) in client mode is a component of PingIDM that connects to other systems to synchronize identity data. Client mode implies the RCS relies on a central server for authentication and authorization.
Review your RCS configurations within the PingIDM admin console. Look for settings that specify the RCS's operating mode.
The principle of least privilege means granting users and system components only the permissions necessary to perform their tasks, minimizing the attack surface.
Immediately isolate the affected system from the network, review audit logs for suspicious activity, and contact PingIDM support for assistance.
There is currently no estimated timeframe for a fix. Monitor PingIDM security advisories for updates.